CompTIA PenTest+ (PT0-002) — Question 91
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet.
Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?
Answer options
- A. PLCs will not act upon commands injected over the network.
- B. Supervisors and controllers are on a separate virtual network by default.
- C. Controllers will not validate the origin of commands.
- D. Supervisory systems will detect a malicious injection of code/commands.
Correct answer: C
Explanation
C is the correct answer because many controllers do not strictly validate the origin of the commands they receive, which leaves them vulnerable to unauthorized access. Options A and D are incorrect because PLCs can respond to network commands and supervisory systems may not have adequate detection mechanisms in place. Option B is also invalid because isolating supervisory systems and controllers on a separate virtual network is not a default practice.